"What is positive is that the penalties are structured in a manner to create adequate deterrence. It will clearly drive the industry to create a safer ecosystem in the data economy," he said.

The draft -- which comes within months of the European Union enforcing similar safeguards for user data -- provides for a penalty of Rs 15 crore or 4 per cent of the total worldwide turnover of any data collection entity, including the state, for violation of personal data processing provisions.

Failure to take prompt action on a data security breach can attract up to Rs 5 crore or 2 per cent of turnover, whichever is higher, as penalty.

The draft has also asked the Centre to identify "critical personal data" that would have to be mandatorily processed within Indian borders, a move that is likely to have implications for technology firms, especially those in areas like finance and healthcare.

"Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies... The Central Government shall notify categories of personal data as critical personal data that shall only be processed in a server or data centre located in India," the draft Bill said.

A high-level committee, headed by Justice BN Srikrishna, today handed over the draft Data Protection Bill to IT Minister Ravi Shankar Prasad, who said the framework will now go through inter-ministerial consultation, Cabinet approval and Parliamentary process.

Once enforced, the framework will apply to all entities including Aadhaar.

"Mandating localisation of all personal data as proposed in the bill is likely to become a trade barrier in the key markets. Startups from India that are going global may not be able to leverage global cloud platforms and will face similar barriers as they expand in new markets," IT industry body Nasscom said.

It advocated that a healthy balance between privacy and innovation is important, given that India is today emerging as a preferred hub for innovation and hi-tech talent globally.

"Policies that govern data protection, storage and classification need to be carefully crafted given the global footprint of the IT-BPM sector," it said, referring to the over USD 150-billion Indian IT sector.

"The draft does not give users ownership of their data and deprives them of control that they need to be able to delete data from collectors like Facebook and Google. Also, there is no restriction on mass surveillance by government," Nikhil Pahwa, a digital rights activist, said.

He further said it is not feasible to expect every website or app to mirror the data in India and added that doing so, will be a "direct attack" on the global nature of internet.

Another area of concern is that the draft does not mandate entities to inform or disclose data breach incidents that may occur, he said.

Internet and Mobile Association of India (IAMAI) President Subho Ray also welcomed the draft saying it defines the norms, not just for the industry but also the government.

Vidur Gupta, Partner (Government and public sector) at EY India the draft will be a key step towards building the important base of 'trusted' digital India.

"The recommendation of bringing public entities under the ambit of law would not only strengthen the confidence of citizens, but also define specific safety measures for their personal data while using eGovernance services," he said.

(This article has not been edited by Zeebiz editorial team and is auto-generated from an agency feed.)